CVE-2022-23317
📋 TL;DR
CVE-2022-23317 is an improper authentication vulnerability in Cobalt Strike's HTTP(S) listener that allows attackers to bypass authentication by sending requests without a leading slash in the URL. This affects all Cobalt Strike users running vulnerable versions, potentially exposing sensitive information about the command and control infrastructure. Attackers can exploit this to gather intelligence about the C2 server configuration.
💻 Affected Systems
- Cobalt Strike
📦 What is this software?
Cobalt Strike by Helpsystems
⚠️ Risk & Real-World Impact
Worst Case
Attackers fully enumerate Cobalt Strike server configuration, identify all active listeners, obtain beacon payloads, and potentially compromise the entire C2 infrastructure.
Likely Case
Attackers fingerprint the Cobalt Strike instance, identify version information, and gather operational intelligence to plan further attacks.
If Mitigated
With proper network segmentation and access controls, impact is limited to information disclosure about the C2 server only.
🎯 Exploit Status
Exploitation requires network access to the Cobalt Strike listener and knowledge of the listener port.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.6
Vendor Advisory: https://www.cobaltstrike.com/blog/cobalt-strike-4-6-the-snake-charmer-2/
Restart Required: Yes
Instructions:
1. Download Cobalt Strike 4.6 or later from official sources.
2. Replace the existing installation with the patched version.
3. Restart all Cobalt Strike services and listeners.
🔧 Temporary Workarounds
Network Access Control
Restrict access to Cobalt Strike listeners using firewall rules or network segmentation
Listener Replacement
Replace HTTP(S) listeners with other listener types not affected by this vulnerability
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Cobalt Strike infrastructure
- Monitor for unusual requests to Cobalt Strike listeners and implement rate limiting
🔍 How to Verify
Check if Vulnerable:
Send an HTTP request to the Cobalt Strike listener without a leading slash (e.g., 'GET beacon' instead of 'GET /beacon') and check whether the server responds with listener information
Check Version:
Check the Cobalt Strike version in the teamserver console or the About dialog
Verify Fix Applied:
Attempt the same request after patching; the server should not respond with sensitive information
📡 Detection & Monitoring
Log Indicators:
- HTTP requests without leading slashes to known Cobalt Strike ports
- Unusual request patterns to listener ports
Network Indicators:
- HTTP traffic to non-standard ports without proper URL structure
- Responses containing Cobalt Strike metadata
SIEM Query:
(source_port:80 OR source_port:443) AND (http_request:beacon OR http_request:stager) AND NOT http_request:"/beacon" AND NOT http_request:"/stager"
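The log indicator "HTTP requests without leading slashes" and the SIEM query above both hinge on recognising a malformed request-target. The following is an added example, not code from this page or from the Cobalt Strike product: it parses constructed access-log lines (the trailing `dport=` field and the `LISTENER_PORTS` set are assumptions of the example, not a Cobalt Strike log format), flags request-targets that lack a leading slash, and tolerates the slash-less forms that are legitimate under HTTP (`OPTIONS *`, absolute-form URLs sent via proxies, and `CONNECT` authority-form) so those do not become false positives.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Hypothetical listener ports for this example; substitute the ports your
# own HTTP(S) listeners are actually bound to.
LISTENER_PORTS: Set[int] = {80, 443, 8443}

# Constructed sample log lines (not real traffic). Common-log layout plus a
# "dport=" field, which is an assumption of this example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2022:12:00:01 +0000] "GET /beacon HTTP/1.1" 200 512 dport=443
203.0.113.5 - - [10/Mar/2022:12:00:02 +0000] "GET beacon HTTP/1.1" 200 4096 dport=443
198.51.100.7 - - [10/Mar/2022:12:00:03 +0000] "OPTIONS * HTTP/1.1" 200 0 dport=80
198.51.100.7 - - [10/Mar/2022:12:00:04 +0000] "GET http://c2.example/stager HTTP/1.1" 200 100 dport=80
198.51.100.7 - - [10/Mar/2022:12:00:05 +0000] "GET stager HTTP/1.1" 200 7000 dport=8443
192.0.2.9 - - [10/Mar/2022:12:00:06 +0000] "GET beacon HTTP/1.1" 404 0 dport=9000
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\S+) dport=(?P<dport>\d+)$'
)
# absolute-form request-target, e.g. "http://host/path" (RFC 7230 5.3.2)
ABSOLUTE_FORM_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.\-]*://')


@dataclass
class Finding:
    src: str
    ts: str
    method: str
    target: str
    dport: int
    status: int


def violates_request_target_form(method: str, target: str) -> bool:
    """True for the 'GET beacon' shape: a request-target that is not
    origin-form ('/...'), not asterisk-form ('OPTIONS *'), not authority-form
    ('CONNECT host:port') and not absolute-form ('scheme://...')."""
    if target.startswith('/'):
        return False
    if method == 'OPTIONS' and target == '*':
        return False
    if method == 'CONNECT':  # authority-form never carries a leading slash
        return False
    if ABSOLUTE_FORM_RE.match(target):
        return False
    return True


def find_missing_slash_requests(lines: Iterable[str],
                                listener_ports: Set[int] = LISTENER_PORTS) -> List[Finding]:
    """Return every parsable request to a listener port whose request-target
    lacks the leading slash. Unparsable lines are skipped here; in production
    count them separately so a log-format change does not silently blind you."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            continue
        dport = int(m['dport'])
        if dport not in listener_ports:
            continue  # only ports where an HTTP(S) listener is exposed
        if violates_request_target_form(m['method'], m['target']):
            findings.append(Finding(m['src'], m['ts'], m['method'],
                                    m['target'], dport, int(m['status'])))
    return findings


if __name__ == '__main__':
    for f in find_missing_slash_requests(SAMPLE_LOG.splitlines()):
        print(f'{f.ts} {f.src} -> :{f.dport} {f.method} {f.target!r} status={f.status}')
```

Of the six constructed lines only two are reported: the `GET beacon` to port 443 and the `GET stager` to port 8443. The `OPTIONS *` and proxy-style absolute URL are legitimate slash-less forms, and the `GET beacon` to port 9000 is dropped because no listener is configured there. Feed real access or reverse-proxy logs through the same two functions, and treat a 200 response to a flagged request as the stronger signal, since an unpatched listener answers rather than rejects it.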